Embedding Security Behaviour Change
How will you embed the desired security behaviours and culture in your organisation?
Security behaviour change requires a clear vision as well as a coordinated strategy to ensure that interventions are consistent, practical and meaningful.
Before embarking on a change programme, however big or small, it is critical that an organisation is clear on the following:
- The objectives of the change (i.e. the vision or strategy)
- The size and scale of the change (i.e. the gap between where the organisation is now and where it wants to be)
- The actions to implement the change (i.e. the interventions)
- Whether the organisation is ready for the change (i.e. it has the necessary time, resources and buy-in)
- How to communicate the change to the target audience and other key stakeholders (i.e. the communications strategy)
- How to review and evaluate the impact of the change (i.e. the measures of success and key performance indicators)
There is no one right way to deliver change. A bespoke approach, suited to the particular needs and requirements of your organisation, will ultimately work best.
CPNI has developed the 5 E’s approach to organisational behaviour change. This provides some overarching principles that organisations are advised to follow when developing a security change programme, drawing on the latest behaviour change theory.
Listed below are CPNI's off-the-shelf security behaviour change campaigns and guidance documents that you are welcome to use for free.
- Workplace behaviours (embedding security savvy behaviours in the workplace)
- Employee vigilance (embedding vigilance behaviours when entering or leaving a site)
- My digital footprint (embedding security savvy behaviours online)
- 'Don't take the bait!' (raising awareness of phishing and spear-phishing)
- Security messages for new joiners (guidance on providing security information during the first 12 months of the employee lifecycle)
- Line managers campaign (advice to help managers recognise the important role they play in developing a good security culture)
- Think Before You Link (raising awareness of threats on social media and professional networking sites)